Gleb Naumovich
What’s the purpose of visibility modifiers?
• Information hiding
  • Visibility of a class (interface, field, method) should be as restricted as possible
• Clear abstraction of program components
Does visibility of program components affect security?
• Intuitively, it should

Situations arise where different parts of the application should not use the same type
• Often, because different access levels exist for accessing information in the type
• E.g., Auction administrators may need to get access to history information about users, but users themselves should not
package auction.common;
public interface User {
public

Solutions?
• Sacrifice simplicity of design for security
• Need two different interfaces and two different classes to represent users

• Having two different interfaces and one class that implements both of them does not work, for the same reasons private fields do not protect data on the client machine
• It is important not to throw good design principles out the window, blaming security
• Two different user implementation classes should reuse code
• Several design patterns are useful in such situations
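Added example (not part of the original slides; all interface and class names are hypothetical) showing why one class behind two interfaces fails while a separate restricted class does not. It assumes the User object reaches the client through default Java serialization.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical names throughout; the slides' own User interface is not reproduced here.
public class TwoInterfacesDemo {
    interface User extends Serializable { String getName(); }
    interface AdminUser extends User { String getHistory(); }

    // One class behind both interfaces: the design the slide says does not work.
    static class SharedUser implements AdminUser {
        private final String name;
        private final String history;   // private, but still part of the object state
        SharedUser(String name, String history) { this.name = name; this.history = history; }
        public String getName() { return name; }
        public String getHistory() { return history; }
    }

    // Separate restricted class: the sensitive field does not exist in it at all.
    static class PublicUser implements User {
        private final String name;
        PublicUser(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Serialize with the default mechanism and report whether the marker text is in the stream.
    static boolean streamContains(Object o, String marker) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return new String(buf.toByteArray(), StandardCharsets.ISO_8859_1).contains(marker);
    }

    public static void main(String[] args) throws IOException {
        String history = "CONSTRUCTED-BID-HISTORY";       // constructed sample value
        User shared = new SharedUser("alice", history);   // handed out as plain User
        User restricted = new PublicUser("alice");

        // 1. The static type is only a label; the runtime object still has the admin method.
        System.out.println("downcast reads: " + ((AdminUser) shared).getHistory());
        // 2. Default serialization writes private fields, so the data reaches the client anyway.
        System.out.println("shared stream has history: " + streamContains(shared, history));
        System.out.println("restricted stream has history: " + streamContains(restricted, history));
    }
}
```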

Java inner classes
• Classes defined as members of other classes
• Inner classes are allowed to access private members of the enclosing class and vice versa
• For each instance of the outer class there is a corresponding instance of the inner class
• Useful especially for defining in-line implementations of simple interfaces
class A {
private int a;

But so what --- attacker classes will be in other packages, right?
• Defense in depth is one of the important principles of security
• Using inner classes removes one of Java security barriers --- private visibility
In principle, fixing the way inner classes in Java are handled wouldn’t be too difficult
• Proposal by Bill Pugh
• Based on sharing a secret key among all classes that need access to private members of a class

Object immutability
• An object is immutable if its state cannot be modified
  • Once created, none of the fields can be changed
  • Example: String
• Advantages of immutability:
  • Sometimes, good API design requires it
  • Simplicity --- if you want to change an object, create a new one
  • Can be shared freely --- no side-effects are possible
  • In some cases, to check equality, instead of checking equality of fields, can check whether two variables of immutable types are a reference to the same object
• Disadvantages of immutability:
  • Many objects may need to be created

Can be solved by having a mutable counterpart for each immutable class
• E.g. StringBuffer

Collection unmodifiableCollection(Collection c)
• Wait, but if it returns a List, the client code can still call methods that modify the list, e.g. add?
• All methods that would modify the list throw exception UnsupportedOperationException
• This method is not as good as having a special immutable type

Sending objects between JVMs
• J2EE programs allow remote method calls (calls across JVMs). We sure can’t do argument passing by reference…
• Intuitively, need to write data in an object as a stream of bits
  • Tedious if we have to do it for every class
  • Can get complicated and error-prone if objects are complex (lots of references to other objects)
• In Java, the object serialization

Default serialization mechanism is often unacceptable for performance reasons
• See course916.serialization.IntegerMap
• Although HashMap is a serializable class, its objects often are very expensive to serialize
  • Holds true for most complex data structures
• In many cases, it is faster to re-construct the data structure given its elements
• See course916.serialization.IntegerMapImproved

Serialization format in IntegerMapImproved does not!
• Later versions may use any data structure that stores pairs
Hashtables are generally tricky to serialize
• Even the same version of JVM may fail to de-serialize a hash table

E.g. use of HashSet
Developers often have to reconcile objects already on the server with objects received from clients
• Often causes bugs
Serialization of objects should be an important part of design of Web applications